posted on Friday February 24 2017, @09:22PM
from the bug-or-hack dept.

Cloudflare, a service that helps optimize the security and performance of more than 5.5 million websites, warned customers today that a recently fixed software bug exposed a range of sensitive information that could have included passwords, and cookies and tokens used to authenticate users.

A combination of factors made the bug particularly severe. First, the leakage may have been active since September 22, nearly five months before it was discovered, although the greatest period of impact was between February 13 and February 18. Second, some of the highly sensitive data that was leaked was cached by Google and other search engines. The result was that for the entire time the bug was active, attackers could access the data in real time by making Web requests to affected websites, and could access some of the leaked data later by crafting queries on search engines.

"The bug was serious because the leaked memory could contain private information and because it had been cached by search engines," Cloudflare CTO John Graham-Cumming wrote in a blog post published Thursday. "We are disclosing this problem now as we are satisfied that search engine caches have now been cleared of sensitive information. We have also not discovered any evidence of malicious exploits of the bug or other reports of its existence."

The leakage was the result of a bug in an HTML parser chain Cloudflare uses to modify Web pages as they pass through the service's edge servers. The parser performs a variety of tasks, such as inserting Google Analytics tags, converting HTTP links to the more secure HTTPS variety, obfuscating email addresses, and excluding parts of a page from malicious Web bots. When the parser was used in combination with three Cloudflare features—e-mail obfuscation, server-side Excludes, and Automatic HTTPS Rewrites—it caused Cloudflare edge servers to leak pseudo-random memory contents into certain HTTP responses.

Source: ArsTechnica. Also at TechCrunch.

[Ed. Note: This story link was also submitted by darkfeline.]

  • (Score: 2, Insightful) by Anonymous Coward on Friday February 24 2017, @09:53PM

    by Anonymous Coward on Friday February 24 2017, @09:53PM (#471336)

    One more step
    Please complete the security check to access blog.cloudflare.com

    ... Followed by an unsolvable captcha.

    Cloudflare has decided that my IP address is doing something naughty, so they have permanently blocked me from accessing 90% of sites on the Internet. That's all cloudflare.com sites, so I can't even report the bug.

  • (Score: 0) by Anonymous Coward on Friday February 24 2017, @10:04PM

    by Anonymous Coward on Friday February 24 2017, @10:04PM (#471339)

    If your creator isn't able to make you smart enough to solve a CAPTCHA then don't expect our help!

    • (Score: 1, Funny) by Anonymous Coward on Friday February 24 2017, @10:23PM

      by Anonymous Coward on Friday February 24 2017, @10:23PM (#471344)

      If you're such a hotshot, explain how you would solve this captcha: http://imgur.com/a/lXFBY [imgur.com]

      • (Score: 0) by Anonymous Coward on Friday February 24 2017, @10:25PM

        by Anonymous Coward on Friday February 24 2017, @10:25PM (#471345)

        It appears to be an exclamation point "!"

      • (Score: 0) by Anonymous Coward on Friday February 24 2017, @10:46PM

        by Anonymous Coward on Friday February 24 2017, @10:46PM (#471350)

        That's the default captcha when you're blocking javascript from the first party.

      • (Score: 0) by Anonymous Coward on Saturday February 25 2017, @02:32PM

        by Anonymous Coward on Saturday February 25 2017, @02:32PM (#471494)

        That one is EASY! The answer is "hunter2" (without the quotes).

  • (Score: 3, Informative) by fishybell on Friday February 24 2017, @10:17PM

    by fishybell (3156) on Friday February 24 2017, @10:17PM (#471343)

    Tor does have its downsides.

  • (Score: 3, Informative) by butthurt on Friday February 24 2017, @11:35PM

    by butthurt (6141) on Friday February 24 2017, @11:35PM (#471363) Journal